ASA Connection Error: ‘The First Key-Exchange Algorithm’

KB ID 0001476


When attempting to connect to a Cisco ASA firewall via SSH, you see the following error:

SSH Error Diffie Hellman Group 1

The first key-exchange algorithm supported by the server is diffie-hellman-group1-sha1, which is below the configured warning threshold.
Do you want to continue with this connection?

Clicking ‘Yes’ will let you connect.


When connected, execute the following commands:

conf t

ssh key-exchange group dh-group14-sha1

write mem

Fix SSH Error Diffie Hellman Group 1

Problem solved.
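Why the prompt goes away after the change, as an added example (not code from the original article): under RFC 4253 the client picks the first algorithm in its own preference list that the server also offers, and it warns when that pick sits below its threshold. The client preference list, the `WARN` marker and the two server offers below are constructed for illustration.

```python
import struct

SSH_MSG_KEXINIT = 20

# Assumed client preference order. Anything listed after the WARN marker is
# still usable but triggers the "below the configured warning threshold" prompt.
CLIENT_KEX_PREFS = ["diffie-hellman-group14-sha1", "WARN", "diffie-hellman-group1-sha1"]

def build_kexinit(kex_algorithms):
    """Build a constructed SSH_MSG_KEXINIT payload (RFC 4253 section 7.1)."""
    def name_list(names):
        data = ",".join(names).encode("ascii")
        return struct.pack(">I", len(data)) + data
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)   # message type + zeroed cookie
    payload += name_list(kex_algorithms)             # kex_algorithms
    payload += name_list([]) * 9                     # remaining nine name-lists, empty here
    payload += b"\x00" + struct.pack(">I", 0)        # first_kex_packet_follows + reserved
    return payload

def parse_kex_algorithms(payload):
    """Extract the kex_algorithms name-list from a KEXINIT payload."""
    if len(payload) < 21 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    (length,) = struct.unpack_from(">I", payload, 17)  # follows type (1) + cookie (16)
    raw = payload[21:21 + length]
    if len(raw) != length:
        raise ValueError("truncated kex_algorithms name-list")
    return raw.decode("ascii").split(",") if raw else []

def negotiate(server_payload, client_prefs=CLIENT_KEX_PREFS):
    """Return (algorithm, warn): the first client preference the server also offers."""
    server = set(parse_kex_algorithms(server_payload))
    warn = False
    for name in client_prefs:
        if name == "WARN":
            warn = True          # everything from here on is below the threshold
        elif name in server:
            return name, warn
    return None, False           # no common algorithm: the connection would fail

# Constructed server offers: before and after the configuration change above.
BEFORE = build_kexinit(["diffie-hellman-group1-sha1"])
AFTER = build_kexinit(["diffie-hellman-group14-sha1"])

if __name__ == "__main__":
    for label, pkt in (("before", BEFORE), ("after", AFTER)):
        print(label, negotiate(pkt))
```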

Related Articles, References, Credits, or External Links

How Diffie Hellman Works

Author: PeteLong



  1. You may want to edit this article – the command in the grey field is wrong, but what you have in the putty screenshot is correct

    • Ah Typo! Thanks Peter – fixed!

  2. I am planning to change “ssh key-exchange group dh-group14-sha1” to “ssh key-exchange group dh-group1-sha1” in the production environment.

    Is there a chance that I may lose connectivity and cannot get in remotely?

    • If you're concerned, open an ASDM connection, then execute the command.

